Expert advice on cybersecurity, cybersafety and cybercrime. Using real incidents, I explain why cyber risks occur, what form they take, and how they affect cybercitizens as individuals, employees, citizens and parents. Opinions expressed in this blog represent my personal views


Wednesday, October 17, 2012

Indian newspapers recently carried reports captioned “Crimes against women: Send porn MMS, emails, land in jail for 3 yrs, pay Rs 50,000 fine”. Cybercrime involving the filming and distribution of pornographic MMS clips of unsuspecting women has always captured newspaper headlines in India. Publicized cases have been few and convictions almost negligible.

According to these reports, an amendment to the Indecent Representation of Women (Prohibition) Act, 1986 was cleared by the Indian Cabinet, bringing in stringent penalties for transgressors using electronic media. Until now the 26-year-old act only covered print advertisements and publications.

When I read the fine print of the amendment it struck me that this was not in the least a law against cybercrime, only an amendment to include the indecent representation of women in electronic advertisements. Beyond proving how fallacious newspaper headlines can be, it amply establishes that cyber laws are daunting to enact and far from practical implementation.

Trying to amend old laws to accommodate new behavior in the Internet era is fundamentally flawed, though it may be a quick fix. In the past, using print media, it was arduous for ordinary individuals to distribute indecent content at scale. Consequently, when the act was written twenty-six years ago, it never considered this an issue. But today, in the electronic world, anyone with a mobile phone camera, an Internet connection and a dirty motive or an opportunity can do it. Such indecent online postings by solitary individuals, whether trolls, bullies, pornographers or cybercitizens settling scores online, are commonplace.

New laws to tackle cybercrime must be written which embody the new genre
of criminal behavior and cybercitizen misdemeanors.

Monday, October 15, 2012

The phone rang once and was instantly cut. Sixty-year-old Sally gave a passing glance at the missed call number, which began with +22 (she took it for her local Mumbai code, 022), and called back. At the other end of the line she heard the mournful shrieks of a woman being beaten and the savage voice of a man hurling constant abuse. Worried, confused and fearing she may have received an SOS call, she asked “Who’s there? Is there a problem? Stop it”.

In the following 3-4 minutes, before she had time to think clearly, her call was cut short for lack of funds. The Rs 200 ($4) she had recently topped up her account with was exhausted. At the mobile store she was informed that, as she had called a premium rate number charging Rs 50 per minute, her balance had been consumed. There was no refund. The telecom provider was not at fault; she should have checked the number before she made the call. Only later did she read in the national newspaper that such frauds were widespread.

As she recounted this incident to her neighbor, she asked, “If the frauds were so well known, should not the telecom company and the government have done something about it?”

India is a large prepaid market, and international fraudsters have devised several tricks to coax vulnerable people into calling international premium rate numbers. Such calls are charged at a premium over normal calls. Premium rate numbers are legitimately used for adult chat lines, directory enquiries and voting for contestants during game shows.

Fraudsters buy these premium rate numbers from international telecom companies and earn money through a share of the revenue for calls made to them. They grow their earnings by raising call volumes, using automated dialers and similar schemes to dupe victims into calling. The revenue-sharing arrangement, some would argue, reduces a telecom’s own motivation to check such activity unless it is forced to do so by law or regulation.

The fraudster’s first objective is to dupe people into calling the premium rate number. They do this by making several “ring once and cut” (missed) calls to a victim’s phone, creating a sense of urgency to call back, and by making the missed-call number appear local through the use of international numbers that resemble local codes. For example, the international prefix +224 may be mistaken for the “022” Mumbai code by individuals unfamiliar with international dialing.

The second objective is to keep the victim engaged on the call for as long as possible, since a longer call means more revenue to the fraudster. This is usually done by playing a recording of a woman being abused or having sex, or by having a live operator masquerade as the agent of a scheme such as a lottery the victim is supposed to have won. The operator takes his time briefing the victim on the win and even notes down personal details, such as a postal address to mail the award to. That personal information can later be used in other scams.

Stolen phones are also used to call premium rate numbers, usually immediately after the theft. Tourists who lose their phones abroad quickly find that their credit limits do not apply, because billing data from the foreign carrier arrives with a delay. The bills can be huge.

Safety Tips to Keep in Mind to Avoid Call Fraud

1. Do not call back unknown international numbers. Be suspicious of a “one ring and cut” call.

2. Disable the international dialing facility if you do not need it.

3. Report a stolen phone and have the number blocked immediately.

Actions Telecom Operators and the Law Can Take

1. Telecoms should enable international calling on request, not by default.

2. Telecoms should detect fraudulent use of premium rate numbers by studying call patterns: a burst of unanswered inbound calls from one foreign number, followed by long outbound calls to that same number, is the signature of this scam.

3. Governments should enact strict laws and penalties to discourage such crimes.
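The call-pattern detection suggested above, worked through as an added example (this is not code from the original post or from any telecom operator). It assumes a simplified call detail record of direction, remote number in E.164 form, start time and duration, a hypothetical premium tariff of Rs 50 per minute taken from Sally’s incident, and an assumed table of Indian STD codes; the sample records are constructed. It also shows the “+224 looks like 022” confusion as a check on the number itself.

```python
"""Detecting "ring once and cut" calls and the costly callbacks they provoke,
from a subscriber's call records.

Added example, not the post's or any operator's code. The CDR layout, the
premium tariff and the STD-code table are assumptions; the sample records
at the bottom are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indian STD codes an international prefix may be misread as once the "+" is
# dropped on a handset display ("+224..." read as "022 4..."). Assumed table.
LOCAL_STD_CODES = {"022": "Mumbai", "011": "Delhi", "033": "Kolkata", "044": "Chennai"}

WANGIRI_MAX_RING_SECONDS = 2     # inbound "call" cut before it could be answered
WANGIRI_MIN_ATTEMPTS = 2         # repeated pings create the urgency to call back
PREMIUM_RATE_INR_PER_MIN = 50.0  # hypothetical tariff, as in the incident


@dataclass(frozen=True)
class Cdr:
    direction: str   # "in" (someone called the subscriber) or "out" (subscriber dialled)
    number: str      # remote party, E.164 ("+" then country code and number)
    ts: int          # call start, seconds since midnight in the sample data
    duration: int    # billed seconds; 0 when the call was never answered


def lookalike_std_code(e164: str) -> Optional[str]:
    """Return the Indian STD code an international number could be mistaken for.

    Indian numbers (+91) are genuinely domestic and never a lookalike. For any
    other number, "0" plus the first two digits after "+" is compared against
    the STD table, which is exactly the "+224 looks like 022" confusion.
    """
    digits = e164.lstrip("+")
    if digits.startswith("91"):
        return None
    candidate = "0" + digits[:2]
    return candidate if candidate in LOCAL_STD_CODES else None


def detect_wangiri(cdrs: List[Cdr]) -> Dict[str, dict]:
    """Flag non-Indian numbers whose inbound calls were all cut before answer,
    and total the seconds the subscriber then spent calling them back."""
    inbound: Dict[str, List[Cdr]] = defaultdict(list)
    outbound: Dict[str, List[Cdr]] = defaultdict(list)
    for c in cdrs:
        (inbound if c.direction == "in" else outbound)[c.number].append(c)

    findings: Dict[str, dict] = {}
    for number, calls in inbound.items():
        if number.startswith("+91"):
            continue
        short = [c for c in calls if c.duration <= WANGIRI_MAX_RING_SECONDS]
        # Every inbound attempt must be a ring-and-cut, and there must be several.
        if len(short) < WANGIRI_MIN_ATTEMPTS or len(short) != len(calls):
            continue
        first_ping = min(c.ts for c in short)
        callbacks = [c for c in outbound.get(number, []) if c.ts > first_ping]
        callback_seconds = sum(c.duration for c in callbacks)
        findings[number] = {
            "ring_and_cut_attempts": len(short),
            "lookalike_std_code": lookalike_std_code(number),
            "callback_seconds": callback_seconds,
            "estimated_charge_inr": round(callback_seconds / 60 * PREMIUM_RATE_INR_PER_MIN, 2),
        }
    return findings


# Constructed sample: three pings from a +224 number, Sally's four-minute
# callback, an ordinary domestic missed call, and an answered international call.
SAMPLE_CDRS = [
    Cdr("in", "+224610000111", 36000, 0),
    Cdr("in", "+224610000111", 36005, 0),
    Cdr("in", "+224610000111", 36011, 1),
    Cdr("out", "+224610000111", 36090, 240),   # Rs 200 gone at Rs 50/min
    Cdr("in", "+919820000000", 40000, 0),      # domestic missed call: never flagged
    Cdr("in", "+919820000000", 40100, 300),
    Cdr("out", "+919820000000", 41000, 60),
    Cdr("in", "+447700900123", 50000, 120),    # answered, so not a ring-and-cut
]

if __name__ == "__main__":
    for number, info in detect_wangiri(SAMPLE_CDRS).items():
        print(number, info)
```

Run on the sample, the +224 number is the only finding: three ring-and-cut attempts, a 240-second callback and an estimated charge of Rs 200, with “022” recorded as the code it could be mistaken for. An operator would run the same logic across all subscribers and block or warn on the foreign number once several of them show the pattern; a subscriber can apply the lookalike check alone before returning any missed call.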

Wednesday, October 10, 2012

Most of us routinely carry several portable computing devices which vary in shape, colour, size and function, from expensive laptops, tablets and smartphones to cheaper eBook readers, portable hard drives and USB drives. Invariably, some of us lose one or more of these items through theft, physical damage, electronic failure or misplacement.

For an individually owned device, the most visible cost is the replacement value of the asset. But there are other, less tangible risks: the disclosure of personal data such as intimate pictures and private correspondence, the misuse of email and social network accounts, and access to stored business data and emails.

Being aware of, and alert in, the situations where the probability of losing these devices is highest is in itself an effective safeguard against loss. Statistically, theft is most likely to occur at home or from a car, physical damage through lax handling during travel, and misplacement at airport security checkpoints, in hotel rooms and in rented cars. Individuals are most vulnerable when in a hurry, preoccupied, careless or angry, or when carrying too many gadgets.

Safety tips to keep in mind:

1. Label the device with your name, address, email id and telephone number to assist in its return.

2. Use full disk encryption to prevent access to data, both personal and business. Without it, the operating system login can be bypassed altogether by booting from another medium or moving the disk to another machine.

3. Use a strong password to log on to the operating system (e.g. Windows), to delay access to email and social networking applications whose passwords the browser has saved. This only delays access and does not prevent it, because the operating system password can be recovered with password cracking tools.

4. Take backups.

5. Use protective cases to prevent physical damage during travel.

6. After a loss, immediately change all passwords to email and social networking applications that the browser had saved. Preferably, disable the browser function that saves passwords and take the trouble to key in passwords each time.

Monday, October 8, 2012

While preaching the Sunday sermon, our parish priest gave a vivid example of how a young mother taught her ten-year-old son a lasting lesson on keeping secrets.

He said, “Shirley was Beth’s neighbor and her best friend. Animatedly, over a cup of tea at Beth’s house, she poured out the problems she was facing with her young daughter. As she left, she asked Beth to keep what she had told her a secret, as it would affect her relationship with her daughter if she or others came to know.

Later, Beth realized that her ten-year-old son had overheard the entire conversation. She called him and said, “Ryan, if Shirley had left her purse in our house today, would we give it to anyone, or only to her?” Ryan replied, “Only to her, mama”. Then Beth said, “Today she left something even more valuable when she shared her problems with me. We do not have the right to share them with anyone”.

In this simple way she
taught her child the meaning of confidentiality.

In a similar way, we as employees share an equal or greater responsibility to protect corporate data and customers’ personal data. Organizations, like individuals, have their own confidential information and personal customer data to safeguard against loss or theft by competitors and criminals. Companies need to keep secrets to protect business interests: to keep certain decisions confidential, safeguard new product development, ensure customer data privacy and keep design secrets under wraps for as long as needed.

Sunday, October 7, 2012

A flash crash at the National Stock Exchange in India brought the Nifty (stock index) down by 15.5% and shut the exchange for a short period. Circuit breakers were triggered after a trader mistyped a single large order into the system, interchanging the number of shares to be sold with the value of the trade. The incident exposed two systemic failures: the trading firm’s inability to prevent erroneous order entries of abnormally large magnitude by its traders, and the failure of the exchange’s processes, software and systems to freeze trading and shut the market swiftly once the 10% market volatility threshold was breached.

Most believe that “security” in information security means only the set of measures an organization uses to protect against the malicious activities of external agents and its own employees. That is only partly true: information security ensures the confidentiality, integrity and availability of information not only against external threats but also against mistakes, errors, and faulty process and system design.

A good security plan, and its implementation, always takes into account all the potential misuse scenarios that could harm an organization’s reputation, assets or compliance mandates; in layman’s terms, every action, malicious or inadvertent, that endangers the business.

Most data breaches are due to simple acts of omission such as technical misconfigurations by system administrators, the use of default passwords, and inadequate operational checks and balances. Security, if well thought out and implemented, can prove a lifesaver by reducing operational risk in an organization’s day-to-day operations.

The trading firm in the above incident had to buy the shares back at higher prices to stay in business. The cost to the company amounted to 50% of its net worth. Had the firm put in place checks and balances to validate large trades before its traders could key them into the system, it would have been spared the financial loss.

On a different note, a similar situation could have arisen had a malicious hacker or a disgruntled, well-informed employee misused the system to crash the exchange with a single large trade. An experienced security professional would have brought in this perspective through a “misuse” scenario while designing or reviewing the design of the trading processes and software, and would have recommended preventive controls that stop the oversized order regardless of whether it is a mistake or an attack.
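The preventive controls discussed above, worked through as an added example (this is not code from the exchange or the trading firm). It assumes a per-order risk limit set of a share cap, a notional (value) cap and a cap as a fraction of average daily volume, plus a swapped-field heuristic that is my own assumption; the limits, the average daily volume and the sample orders are constructed. The same check rejects the honest fat-finger and the deliberate oversized order, which is the point of the misuse scenario.

```python
"""Pre-trade limit checks and an index circuit breaker, the two controls the
post says were missing or failed.

Added example, not the exchange's or the broker's code. The limits, the
average daily volume (ADV) and the sample orders are constructed; the
swapped-field heuristic is an assumption, not a documented exchange rule.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Order:
    symbol: str
    side: str        # "BUY" or "SELL"
    quantity: int    # number of shares
    price: float     # limit price in INR


@dataclass(frozen=True)
class RiskLimits:
    max_quantity: int         # hard per-order share cap
    max_notional_inr: float   # hard per-order value cap
    max_adv_fraction: float   # cap as a fraction of the stock's average daily volume


def check_order(order: Order, limits: RiskLimits, adv: int) -> List[str]:
    """Return every limit the order breaches; an empty list means it may be sent.

    These checks sit in the path before the order leaves the firm. They do not
    care whether the breach is a typo or an insider trying to move the market,
    which is exactly what a misuse scenario asks for.
    """
    breaches: List[str] = []
    if order.quantity <= 0 or order.price <= 0:
        return ["quantity and price must be positive"]
    notional = order.quantity * order.price
    if order.quantity > limits.max_quantity:
        breaches.append(f"quantity {order.quantity:,} exceeds cap {limits.max_quantity:,}")
    if notional > limits.max_notional_inr:
        breaches.append(f"notional {notional:,.0f} INR exceeds cap {limits.max_notional_inr:,.0f}")
    if order.quantity > limits.max_adv_fraction * adv:
        breaches.append(f"quantity {order.quantity:,} exceeds {limits.max_adv_fraction:.0%} of ADV {adv:,}")
    # Heuristic (assumption): if the entered quantity, read as a rupee amount at this
    # price, would have been an ordinary order, the trader probably swapped the fields.
    if order.quantity > limits.max_quantity and order.quantity / order.price <= limits.max_quantity:
        breaches.append("quantity looks like a rupee value: were quantity and value swapped?")
    return breaches


def circuit_breaker_tripped(reference_index: float, current_index: float,
                            threshold: float = 0.10) -> bool:
    """True once the index has moved at least `threshold` (10% in the post) from
    its reference level in either direction; the exchange must then halt trading."""
    return abs(current_index - reference_index) / reference_index >= threshold


# Constructed sample: a trader meant to sell Rs 17 lakh of a Rs 500 stock
# (3,400 shares) but keyed 1,700,000 into the quantity field.
LIMITS = RiskLimits(max_quantity=100_000, max_notional_inr=50_000_000.0, max_adv_fraction=0.05)
ADV = 2_000_000
FAT_FINGER = Order("EXAMPLECO", "SELL", 1_700_000, 500.0)
INTENDED = Order("EXAMPLECO", "SELL", 3_400, 500.0)

if __name__ == "__main__":
    for o in (FAT_FINGER, INTENDED):
        print(o.quantity, check_order(o, LIMITS, ADV) or "accepted")
    print("halt trading:", circuit_breaker_tripped(5700.0, 4815.0))
```

The fat-finger order trips all three hard limits and the swap heuristic, while the intended 3,400-share order passes cleanly; a 15.5% fall from a 5700 reference level trips the breaker, a 3.5% fall does not. In a real deployment the limits would be per desk and per instrument and the breaker would run on the exchange’s own tick feed, but the control points are the same.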


About Me

Security author and passionate blogger @LuciusonSecurity writing on risks that affect Internet users such as cyber crime, defamation, impersonation, privacy and security. Working hard to reduce cyber risks to some of the world's largest businesses. Find me on Twitter @luciuslobo or Linkedin at http://in.linkedin.com/in/luciuslobo